Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Puppet write below /etc and new user_known_x macros! #563

Merged
merged 1 commit into from
Mar 15, 2019
Merged

Puppet write below /etc and new user_known_x macros! #563

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 24 additions & 2 deletions rules/falco_rules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -909,7 +909,7 @@
gen_resolvconf., update-ca-certi, certbot, runsv,
qualys-cloud-ag, locales.postins, nomachine_binaries,
adclient, certutil, crlutil, pam-auth-update, parallels_insta,
openshift-launc, update-rc.d)
openshift-launc, update-rc.d, puppet)
and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries)
and not fd.name pmatch (safe_etc_dirs)
and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
Expand Down Expand Up @@ -1038,6 +1038,16 @@
or fd.name startswith /root/jvm
or fd.name startswith /root/.node-gyp)

# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to allow for specific combinations of
# programs writing below specific directories below
# / or /root.
#
# In this file, it just takes one of the condition in the base macro
# and repeats it.
- macro: user_known_write_root_conditions
condition: fd.name=/root/.bash_history

- rule: Write below root
desc: an attempt to write to any file directly below / or /root
condition: >
Expand All @@ -1055,6 +1065,7 @@
and not kubectl_writing_state
and not cassandra_writing_state
and not known_root_conditions
and not user_known_write_root_conditions
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
priority: ERROR
tags: [filesystem]
Expand Down Expand Up @@ -1657,6 +1668,15 @@
- macro: known_user_in_container
condition: (container and user.name != "N/A")

# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to allow for specific combinations of
# programs changing users by calling setuid.
#
# In this file, it just takes one of the condition in the base macro
# and repeats it.
- macro: user_known_non_sudo_setuid_conditions
condition: user.name=root

# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
- rule: Non sudo setuid
desc: >
Expand All @@ -1665,11 +1685,13 @@
condition: >
evt.type=setuid and evt.dir=>
and (known_user_in_container or not container)
and not user.name=root and not somebody_becoming_themself
and not user.name=root
and not somebody_becoming_themself
and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
nomachine_binaries)
and not java_running_sdjagent
and not nrpe_becoming_nagios
and not user_known_non_sudo_setuid_conditions
output: >
Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
command=%proc.cmdline uid=%evt.arg.uid)
Expand Down